Closed Bug 1464243 Opened Last year Closed Last year

Assertion failure: aOutSlice.TopBottom() <= minSize.height, at src/gfx/thebes/gfxBlur.cpp:493

Categories

(Core :: Graphics: Layers, defect)

defect
Not set

Tracking


RESOLVED FIXED
mozilla62
Tracking Status
firefox-esr52 --- wontfix
firefox-esr60 --- wontfix
firefox60 --- wontfix
firefox61 --- wontfix
firefox62 --- fixed

People

(Reporter: tsmith, Assigned: nical)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files, 1 obsolete file)

Attached file testcase.html
Reproduced with m-c:
BuildID=20180523220103
SourceStamp=47e81ea1ef10189ef210867934bf36e14cf223dc

Assertion failure: aOutSlice.TopBottom() <= minSize.height, at src/gfx/thebes/gfxBlur.cpp:493

#0 ComputeMinSizeForShadowShape(mozilla::gfx::RectCornerRadii const*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntMarginTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) src/gfx/thebes/gfxBlur.cpp:492:3
#1 GetBlur(gfxContext*, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectCornerRadii const*, mozilla::gfx::Color const&, bool, mozilla::gfx::IntMarginTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntMarginTyped<mozilla::gfx::UnknownUnits>&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>&) src/gfx/thebes/gfxBlur.cpp:579:5
#2 gfxAlphaBoxBlur::BlurRectangle(gfxContext*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::RectCornerRadii const*, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::Color const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&) src/gfx/thebes/gfxBlur.cpp:963:37
#3 nsContextBoxBlur::BlurRectangle(gfxContext*, nsRect const&, int, mozilla::gfx::RectCornerRadii*, int, mozilla::gfx::Color const&, nsRect const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, double> const&) src/layout/painting/nsCSSRendering.cpp:4618:3
#4 nsCSSRendering::PaintBoxShadowOuter(nsPresContext*, gfxContext&, nsIFrame*, nsRect const&, nsRect const&, float) src/layout/painting/nsCSSRendering.cpp:1768:7
#5 nsDisplayBoxShadowOuter::Paint(nsDisplayListBuilder*, gfxContext*) src/layout/painting/nsDisplayList.cpp:5776:5
#6 mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::AssignedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float) src/layout/painting/FrameLayerBuilder.cpp:6434:15
#7 mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) src/layout/painting/FrameLayerBuilder.cpp:6591:19
#8 mozilla::layers::BasicPaintedLayer::PaintThebes(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicPaintedLayer.cpp:94:9
#9 mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:706:13
#10 mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp
#11 mozilla::layers::BasicLayerManager::PaintSelfOrChildren(mozilla::layers::PaintLayerContext&, gfxContext*) src/gfx/layers/basic/BasicLayerManager.cpp:729:7
#12 mozilla::layers::BasicLayerManager::PaintLayer(gfxContext*, mozilla::layers::Layer*, void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*) src/gfx/layers/basic/BasicLayerManager.cpp
#13 mozilla::layers::BasicLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/basic/BasicLayerManager.cpp:616:5
#14 mozilla::PaintInactiveLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, gfxContext*, gfxContext*) src/layout/painting/FrameLayerBuilder.cpp:4051:12
#15 mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::AssignedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float) src/layout/painting/FrameLayerBuilder.cpp:6420:7
#16 mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) src/layout/painting/FrameLayerBuilder.cpp:6591:19
#17 mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) src/gfx/layers/client/ClientPaintedLayer.cpp:158:5
#18 mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) src/gfx/layers/client/ClientPaintedLayer.cpp:314:3
#19 mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
#20 mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
#21 mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
#22 mozilla::layers::ClientContainerLayer::RenderLayer() src/gfx/layers/client/ClientContainerLayer.h:58:29
#23 mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:359:13
#24 mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) src/gfx/layers/client/ClientLayerManager.cpp:423:3
#25 nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) src/layout/painting/nsDisplayList.cpp:2800:19
#26 nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3843:12
#27 mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6312:5
#28 nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
#29 nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
#30 nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
#31 nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2039:11
#32 mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:301:7
#33 mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:320:5
#34 mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:760:5
#35 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:673:35
#36 mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:574:9
#37 mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
#38 mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#39 mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
#40 mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
#41 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
#42 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
#43 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
#44 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
#45 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#46 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#47 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#48 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#49 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
#50 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#51 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#52 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:326:10
#53 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299:3
#54 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#55 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#56 main src/browser/app/nsBrowserApp.cpp:282:18
#57 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#58 _start (firefox+0x423434)
Flags: in-testsuite?
The test case has a -webkit-perspective: 1px applied which is pretty intense.

My guess is that we are getting a huge rect here https://searchfox.org/mozilla-central/rev/bf4def01bf8f6ff0d18f02f2d7e9efc73e12c63f/layout/painting/nsCSSRendering.cpp#4610 and overflow later when converting it to int here https://searchfox.org/mozilla-central/rev/bf4def01bf8f6ff0d18f02f2d7e9efc73e12c63f/gfx/thebes/gfxBlur.cpp#959.
Interestingly, I wasn't able to trigger the assertion with this test case. That said, the values I get for the rect are indeed well beyond the range of values that we can properly handle, so it can't hurt to add a safeguard at the beginning of BlurRectangle that early-returns if we have a size that we know we won't be able to allocate an intermediate surface for, or xy coordinates that later won't fit into the 16.16 fixed point that some of the painting backends typically use.
Assignee: nobody → nical.bugzilla
Attachment #8980583 - Flags: review?(bas)
Comment on attachment 8980583 [details] [diff] [review]
Bail early when running into a blur rect that we know won't be able to render.

Review of attachment 8980583 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/thebes/gfxBlur.cpp
@@ +955,5 @@
>                                 const gfxRect& aDirtyRect,
>                                 const gfxRect& aSkipRect)
>  {
> +  const double max = (double)gfxPlatform::MaxTextureSize();
> +  const double max_coord = (double)std::numeric_limits<std::int16_t>::max();
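Review bot: `std::numeric_limits` and `std::int16_t` require `<limits>` and `<cstdint>`, and this five-line hunk does not show either being included in gfxBlur.cpp; confirm they are pulled in directly rather than transitively. The comparison that consumes `max` and `max_coord`, and the value the early return yields, also fall outside the shown context, so it is not visible here whether callers treat the bail-out as a no-op draw; widening the context or stating it in the commit message would help.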

nit: maxCoord, you're not in rust code here :-).

More importantly, why can't we limit this to int32_t max?
Flags: needinfo?(nical.bugzilla)
> More importantly, why can't we limit this to int32_t max?

I used int16 because some of the painting backends will eventually convert these values to 16.16 fixed point, so that's the safe range to use. I think that the int16 range is more than enough in this particular case, but in a subsequent patch that adds debug assertions everywhere we cast points, rects and sizes, I used a more conservative range (int32 max) instead.
I subtracted one to be safe since the value can be rounded up or down.
Flags: needinfo?(nical.bugzilla)
TBH I don't feel very strongly about int16 vs int32 in this case. I think that int16 is fine (as a limitation) and safer but it might just be ok to go with int32 and let the painting backend deal with potential overflow (which I hope they do properly).
Same patch without the snake case. Lemme know if you prefer to use int32 max as the limit instead of int16 max.
Attachment #8980583 - Attachment is obsolete: true
Attachment #8980583 - Flags: review?(bas)
Attachment #8981099 - Flags: review?(bas)
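The guard discussed in the comments above, written out as an added example (not the patch itself or any Gecko code): a double-precision rect is rejected before any double-to-int conversion if its size exceeds the maximum texture size or any edge falls outside the int16 range that 16.16 fixed-point backends need, with one subtracted from the limit to allow for rounding. `Rect`, `kMaxTextureSize` (8192 assumed) and `ToIntRect` are constructed stand-ins for gfxRect, gfxPlatform::MaxTextureSize() and the conversion inside BlurRectangle.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Constructed stand-ins, not Gecko's types: gfxRect stores doubles, and
// gfxPlatform::MaxTextureSize() is assumed here to be 8192 (a common GPU limit).
struct Rect {
  double x, y, width, height;
};
constexpr double kMaxTextureSize = 8192.0;  // assumed value

// Early-out check in the spirit of the patch: reject blur rects whose size
// cannot be backed by an intermediate surface, or whose coordinates would not
// fit the 16.16 fixed-point range some painting backends use. The limit is one
// below int16 max because a double coordinate may be rounded up later.
bool BlurRectIsRenderable(const Rect& r) {
  const double maxSize = kMaxTextureSize;
  const double maxCoord =
      static_cast<double>(std::numeric_limits<std::int16_t>::max()) - 1.0;
  // NaN and infinity compare false against everything, so test them explicitly.
  if (!std::isfinite(r.x) || !std::isfinite(r.y) ||
      !std::isfinite(r.width) || !std::isfinite(r.height)) {
    return false;
  }
  if (r.width > maxSize || r.height > maxSize) {
    return false;
  }
  // Check all four edges: an in-range origin with a large extent still overflows.
  const double right = r.x + r.width;
  const double bottom = r.y + r.height;
  return std::fabs(r.x) <= maxCoord && std::fabs(r.y) <= maxCoord &&
         std::fabs(right) <= maxCoord && std::fabs(bottom) <= maxCoord;
}

// Guarded double -> int conversion as a BlurRectangle-style caller would do it.
// Returns false (draw nothing) instead of casting an out-of-range double, which
// is undefined behaviour in C++ and is the overflow this bug describes.
bool ToIntRect(const Rect& r, std::int32_t out[4]) {
  if (!BlurRectIsRenderable(r)) {
    return false;
  }
  out[0] = static_cast<std::int32_t>(std::floor(r.x));
  out[1] = static_cast<std::int32_t>(std::floor(r.y));
  out[2] = static_cast<std::int32_t>(std::ceil(r.width));
  out[3] = static_cast<std::int32_t>(std::ceil(r.height));
  return true;
}
```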
Comment on attachment 8981099 [details] [diff] [review]
Bail early when running into a blur rect that we know won't be able to render.

Review of attachment 8981099 [details] [diff] [review]:
-----------------------------------------------------------------

Nah it's fine.
Attachment #8981099 - Flags: review?(bas) → review+
Pushed by nsilva@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/86ef0de352d2
Early return when running into blur rects that are way too large. r=Bas
https://hg.mozilla.org/mozilla-central/rev/86ef0de352d2
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Can we land the attached testcase as a crashtest?
Flags: needinfo?(nical.bugzilla)
Depends on: 1474722
Blocks: 1474940
> Can we land the attached testcase as a crashtest?

Sorry for the delay, added in bug 1474940.
Flags: needinfo?(nical.bugzilla)